A vulnerability exists in the Windows operating system's JScript component that can allow an attacker to execute malicious code on a user's computer.
Responsible for discovering this bug is Dmitri Kaslov of Telspace Systems, who passed it along to Trend Micro's Zero-Day Initiative (ZDI), a project that intermediates the vulnerability disclosure process between independent researchers and larger companies.
ZDI experts reported the issue to Microsoft back in January, but Microsoft has yet to release a patch for this vulnerability. Yesterday, ZDI published a
summary containing light technical details about the bug.
JScript bug leads to RCE
According to this summary, the vulnerability allows remote attackers to execute malicious code on users' PCs.
Because the vulnerability affects the
JScript component (Microsoft custom implementation of JavaScript), the only condition is that the attacker must trick the user into accessing a malicious web page, or download and open a malicious JS file on the system (typically executed via the Windows Script Host —wscript.exe).
....
.....
...
Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days
CISA Warns of Microsoft PowerPoint Code Injection Vulnerability Exploited in Attacks